RBAC filter reference

GSL | Available since: v1 | HTTP

Role Based Access Control (RBAC) provides service-level and method-level access control for a service. Requests are allowed or denied based on the configured action and whether a matching policy is found. For instance, if the action is ALLOW and a matching policy is found, the request is allowed.

Configuration

The base GSL type is #RBACFilter.

rules

CUE Definition: #RBAC
Package: envoyproxy.io/config/rbac/v3

Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied. If present and empty, DENY. If both rules and matcher are configured, rules will be ignored.

rules: {
    action: "ALLOW"
    policies: { ... }
}

matcher

CUE Definition: #Matcher
Package: envoyproxy.io/deps/cncf/xds/go/xds/type/matcher/v3

The match tree to use when resolving the RBAC action for incoming requests. Requests that do not match any matcher will be denied. If absent, no enforcing RBAC matcher will be applied. If present and empty, deny all requests.

shadow_rules

CUE Definition: #RBAC
Package: envoyproxy.io/config/rbac/v3

Shadow rules are not enforced by the filter (i.e., returning a 403) but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied. If both shadow rules and shadow matcher are configured, shadow rules will be ignored.

shadow_rules: {
    action: "ALLOW"
    policies: { ... }
}

shadow_matcher

CUE Definition: #Matcher
Package: envoyproxy.io/deps/cncf/xds/go/xds/type/matcher/v3

The match tree to evaluate against incoming requests for emitting stats and logs only; it is not enforced and can be used for rule testing. If absent, no shadow matcher will be applied.

shadow_rules_stat_prefix

string

If specified, shadow rules will emit stats with the given prefix. This is useful for distinguishing the stats when more than one RBAC filter is configured with shadow rules.

Example

Here is an example of RBAC configuration. It has two policies:

  • Service account “cluster.local/ns/default/sa/admin” has full access to the service, and so does “cluster.local/ns/default/sa/superuser”.
  • Any user can read (GET) the service at paths with prefix /products, so long as the destination port is either 80 or 443.

gsl.#RBACFilter & {
  #options: {
    rules: {
      action: "ALLOW"
      policies: {

        // Service admin role
        "service-admin": {
          permissions: [ { any: true } ]
          principals: [
            { authenticated: principal_name: exact: "cluster.local/ns/default/sa/admin" },
            { authenticated: principal_name: exact: "cluster.local/ns/default/sa/superuser" },
          ]
        }

        // Product viewer role
        "product-viewer": {
          permissions: [ {
            and_rules: rules: [
              // Match GET requests
              {
                header: {
                  name: ":method"
                  string_match: exact: "GET"
                }
              },
              // ...on the /products URL prefix
              {
                url_path: path: prefix: "/products"
              },
              {
                // use OR to match either port 80 or 443
                or_rules: rules: [
                  { destination_port: 80 },
                  { destination_port: 443 },
                ]
              }
            ]
          } ]
          principals: [ { any: true } ]
        }
      }
    } // end rules
  }
}

Note: this example is adapted from Envoy’s documentation.
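To make the decision rule concrete ("allowed or denied based on the action and whether a matching policy is found") and to show how shadow rules fit in, here is an added example, written for this page and not part of GSL or Envoy, that models Envoy's RBAC evaluation in Python for the rule kinds used in the example above. The page's two policies are transcribed as plain dictionaries; the `Request` attributes, the `decide` helper and the `rbac.<prefix>shadow_allowed` / `shadow_denied` stat names are assumptions of this example, chosen to mirror the shadow_rules and shadow_rules_stat_prefix fields described above.

```python
"""Model of Envoy RBAC decision semantics (added example; not Envoy or GSL code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    # Constructed request attributes; principal is the authenticated identity
    # (e.g. the mTLS client certificate's SAN), or None when unauthenticated.
    method: str
    path: str
    port: int
    principal: Optional[str] = None


def permission_matches(rule: dict, req: Request) -> bool:
    """Evaluate one permission rule; each rule dict carries exactly one key."""
    (kind, spec), = rule.items()
    if kind == "any":
        return bool(spec)
    if kind == "header":  # only the :method and :path pseudo-headers are modelled
        value = {":method": req.method, ":path": req.path}.get(spec["name"])
        return value == spec["string_match"]["exact"]
    if kind == "url_path":
        return req.path.startswith(spec["path"]["prefix"])
    if kind == "destination_port":
        return req.port == spec
    if kind == "and_rules":
        return all(permission_matches(r, req) for r in spec["rules"])
    if kind == "or_rules":
        return any(permission_matches(r, req) for r in spec["rules"])
    raise ValueError(f"unsupported permission rule: {kind}")


def principal_matches(rule: dict, req: Request) -> bool:
    """Evaluate one principal rule (any, or authenticated principal_name exact)."""
    (kind, spec), = rule.items()
    if kind == "any":
        return bool(spec)
    if kind == "authenticated":
        return req.principal == spec["principal_name"]["exact"]
    raise ValueError(f"unsupported principal rule: {kind}")


def matching_policy(rbac: dict, req: Request) -> Optional[str]:
    """Name of the first policy where some permission AND some principal match."""
    for name, policy in rbac["policies"].items():
        if any(permission_matches(p, req) for p in policy["permissions"]) and any(
            principal_matches(p, req) for p in policy["principals"]
        ):
            return name
    return None


def evaluate(rbac: Optional[dict], req: Request) -> bool:
    """Decision rule: allowed iff (action is ALLOW) == (a policy matched).

    rbac=None models an absent rules field (nothing enforced). A present rules
    block with an empty policies map never matches, so with the default ALLOW
    action it denies every request.
    """
    if rbac is None:
        return True
    matched = matching_policy(rbac, req) is not None
    return (rbac.get("action", "ALLOW") == "ALLOW") == matched


def decide(req: Request, rules: Optional[dict], shadow_rules: Optional[dict] = None,
           shadow_prefix: str = "") -> dict:
    """Enforce `rules`; evaluate `shadow_rules` only to name the stat it would bump.

    The stat names are a simplification modelled on Envoy's shadow_allowed /
    shadow_denied counters; the exact naming here is an assumption.
    """
    result = {"allowed": evaluate(rules, req), "shadow_stat": None}
    if shadow_rules is not None:
        verdict = "shadow_allowed" if evaluate(shadow_rules, req) else "shadow_denied"
        result["shadow_stat"] = f"rbac.{shadow_prefix}{verdict}"
    return result


# The page's example policies, transcribed from the CUE above.
ADMIN = "cluster.local/ns/default/sa/admin"
SUPERUSER = "cluster.local/ns/default/sa/superuser"
EXAMPLE_RULES = {
    "action": "ALLOW",
    "policies": {
        "service-admin": {
            "permissions": [{"any": True}],
            "principals": [{"authenticated": {"principal_name": {"exact": ADMIN}}},
                           {"authenticated": {"principal_name": {"exact": SUPERUSER}}}],
        },
        "product-viewer": {
            "permissions": [{"and_rules": {"rules": [
                {"header": {"name": ":method", "string_match": {"exact": "GET"}}},
                {"url_path": {"path": {"prefix": "/products"}}},
                {"or_rules": {"rules": [{"destination_port": 80}, {"destination_port": 443}]}},
            ]}}],
            "principals": [{"any": True}],
        },
    },
}
# A stricter candidate policy (constructed) to trial via shadow rules before enforcing it.
ADMIN_ONLY = {"action": "ALLOW",
              "policies": {"service-admin": EXAMPLE_RULES["policies"]["service-admin"]}}

if __name__ == "__main__":
    viewer_get = Request("GET", "/products/42", 80)
    print(decide(viewer_get, EXAMPLE_RULES, ADMIN_ONLY, shadow_prefix="v2_"))
```

Running the script shows the shadow mechanism at work: the anonymous GET to /products is still allowed by the enforced rules, while the shadow evaluation reports `rbac.v2_shadow_denied`, which is the signal you would watch in stats before promoting ADMIN_ONLY to `rules`. The same `evaluate` function also shows the two edge cases the reference describes: `rules` absent means nothing is enforced, and `rules` present with no policies denies everything.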